Solved

Letting users append to file but not read the file.

Posted on 1998-01-09
Last Modified: 2013-12-25
The question that needs to be answered is...what is the customary way that a FrontPage "web-bot" is allowed to write to a text file, but users are not allowed to view this file in their browser, and if the customary way does not work, why not?

I have a web site on an NT server, created with FrontPage.  We inserted a web-bot component that appends form results to a file.  We would like to prevent users from reading this same file.  

This seems like an obvious solution...tweak the NTFS permissions so that IUSR, Interactive, and Network all have write-only access to the file.  But the event log shows a different story...if IUSR has only "write" permissions to that result file, he cannot post the results.  The event log shows that the failing operation was a "read."

Evidently this ISAPI web-bot or whatever requires "read" permissions in order to write to a file.  But I don't want people to read it.  

I have also tried dropping it into _private.  No dice, I can still enter the full URL and see the file.  As far as putting a dummy "index.html" file, please don't go any further if that's your answer.

Thanks in advance.
 
Question by:marimba
13 Comments
 

Author Comment

by:marimba
ID: 1856298
Edited text of question
 

Author Comment

by:marimba
ID: 1856299
Edited text of question
 

Author Comment

by:marimba
ID: 1856300
Adjusted points to 400
 

Author Comment

by:marimba
ID: 1856301
Edited text of question
 
LVL 5

Expert Comment

by:julio011597
ID: 1856302
I've no experience in FrontPage related stuff, so this may be nonsense; if this is the case, sorry.

If you mean preventing web clients from reading your file, the easiest and usual way is to put your file outside the web server's document root; this way, no HTTP request can reach your file, while your server still can access it.
 

Author Comment

by:marimba
ID: 1856303
As I stated before, clients must be able to write to the file.  Thus, it must be HTTP-accessible, or accessible to a process that can write to the file.

This can't be that unusual of a situation, where you want browser clients to be able to write their personal info to a file, but you don't want them to be able to read it?
 
LVL 5

Expert Comment

by:julio011597
ID: 1856304
As far as HTTP is involved, clients _never_ write to files; they post requests to web servers, or to CGI programs through them.

But I don't know what a "FrontPage web-bot" is, so...

good luck.
 

Author Comment

by:marimba
ID: 1856305
Thanks for giving it a shot, anyway.  I think the "web bot" component is an ISAPI filter.  While HTTP itself doesn't write to files, with IIS and FrontPage, it seems that this ISAPI procedure uses the security credentials of the HTTP service, which is why I had no luck when I stuck it outside the "virtual directory" tree.

That's why this is a 400 point question, I need a "front page expert," but thanks for trying!
 
LVL 3

Accepted Solution

by:bigelos (earned 400 total points)
ID: 1856306
I wouldn't call myself a frontpage expert, but I do believe there is a solution to your problem.

First of all, interactive must have r/w permissions.  (I give it full control...).  Note that this is for users interacting locally, so it won't work if users have access to this machine.

Now, if your FrontPage bot runs in the same manner as a cgi-script, it should work fine.  Otherwise, you might have to give r/w permissions to the local system.  Of course, everyone must have read permissions still.

Also, you probably don't want to share this directory...

Feel free to reject this if it doesn't work.  I was having the exact problem, except with a cgi script, and this fixed it.
 

Author Comment

by:marimba
ID: 1856307
Your solution (as I understand it) fulfills only one of the required results.  Users can write, but they also can read, and I don't want them reading the file.

If "everyone" has read permission, and "interactive" has read permission, then IUSR gets "read" permission.

With your solution, what mechanism prevents a user from reading the file?
 
LVL 3

Expert Comment

by:bigelos
ID: 1856308
Sorry, I got involved in another problem, and then when I came back to this, I forgot that you didn't want users to read.  Turn off the read/write permission for everyone.  Use a cgi script or frontpage bot to do the writing/appending.  (cgi script uses the permissions set by interactive).  You'll probably have to use a form to submit...

I did this for a feedback form, and also for a hit counter (not displayed, personal use, etc.)
 

Author Comment

by:marimba
ID: 1856309
I think this is pretty much a confirmation of what I have uncovered on my own, that the FrontPage ISAPI components just won't do what we're hoping for, and it will take a CGI or ASP script to get it done, so that it will be able to run outside of the IUSR credentials.
 
LVL 3

Expert Comment

by:bigelos
ID: 1856310
Sorry I couldn't help you more..

(Like I said, I'm not a FrontPage expert, mainly because my ISP hates Mickeysoft and won't run their apps/extensions.)
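
The approach the thread converges on (a server-side script does the appending, and the results file sits outside the document root), as an added example that is not part of any post above and is not FrontPage code. It is a Python form handler, with hypothetical field names and paths, that refuses a results path under the web root and opens the file write-only in append mode, so the account it runs as needs no read right on the file.

```python
import os
from urllib.parse import parse_qs

FIELDS = ("name", "email", "comment")  # hypothetical form fields


def inside(root, path):
    """True if path resolves to a location under root (URL-reachable)."""
    root, path = os.path.realpath(root), os.path.realpath(path)
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:  # e.g. different drives on Windows
        return False


def clean(value, limit=500):
    """Keep one submission on one line: no CR/LF/tab, bounded length."""
    return "".join(" " if c in "\r\n\t" else c for c in value)[:limit]


def append_result(form_body, results_path, doc_root):
    """Append one urlencoded form submission as a tab-separated record."""
    if inside(doc_root, results_path):
        raise ValueError("results file is under the document root")
    form = parse_qs(form_body, keep_blank_values=True)
    record = "\t".join(clean(form.get(f, [""])[0]) for f in FIELDS) + "\n"
    # Write-only + append: the handler never requests read access.
    # The 0o600 mode applies on POSIX only; on NTFS the file's ACL
    # decides who may read it.
    fd = os.open(results_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.write(fd, record.encode("utf-8"))
    finally:
        os.close(fd)
    return record


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()  # constructed layout for the demo
    body = "name=Ann&email=ann%40example.test&comment=line1%0Aline2"
    print(repr(append_result(body, os.path.join(base, "results.txt"),
                             os.path.join(base, "wwwroot"))))
```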